CVE bug system has bugs – quick, use this alternative, say hackers

Allege critical software vulns ignored in huge backlog

Frustrated security professionals acting on behalf of equally irritated researchers unable to gain Common Vulnerabilities and Exposures (CVE) numbers for their bugs have started an alternative numbering system to help triage what they describe as a huge backlog of ignored software flaws.

Several prominent researchers are now backing the Distributed Weakness Filing (DWF) System badged as an alternative for the herds of researchers unable to gain the CVE for their legitimate vulnerabilities.

The researchers say the movement is a response to inaction from US government-funded CVE-handler MITRE Corporation over the last six months. They claim it has allocated far fewer CVE numbers to vulnerabilities and has been much less responsive to requests from researchers.

MITRE has been contacted for comment.

Common Vulnerabilities and Exposures numbers are the numerical tags assigned to legitimate verified bugs that act as a single source of truth for security companies and engineers in corporate offices to assign and apply patches.

It is crucial for the security of software and for decades has been assigned – largely for US technology – by the MITRE Corporation.

Dozens of researchers from multiple countries – from upstart hackers to competent experts with track records – have told this reporter they have been unable to gain a CVE number from MITRE.

The effects of the alleged radio silence are tangible; the Reg understands that many US government agencies do not react to disclosed vulnerabilities that are not catalogued by the National Vulnerability Database – which in turn ignores bugs that lack assigned CVEs.

Some large private sector corporations also respond only to CVE-numbered bugs – leading to the possibility that legitimate and critical vulnerabilities may remain unpatched due to MITRE's alleged unwillingness to allocate a CVE number to them.

However, while the number of bugs is outpacing the speed at which vulnerability numbers are allocated, researchers say not enough is being done to cover important and forgotten critical bugs in popular software. Some researchers say they have held off disclosure as a result, while many are published without CVE tracking.

Kurt Seifried, who established the alternative system, is a Red Hat security staffer and MITRE board member but speaks to The Register in his personal capacity.

He says the system could remain a bridge for those cut out of CVE allocation or, in the worst case scenario, become a full-blown replacement to it with eventual co-opting of the CVE title.

"We are really seeking a response from MITRE," Seifried says, adding he would be glad to retire the effort should MITRE fill the gap.

"Your first job is to get CVEs out the door, and the second is to engage with industry and neither of those is happening.

"I planned to maybe launch this (DWF) in the summer, but I saw that it was getting worse and we as an industry just can't do another four months of no one getting CVEs.

Seifried and other researchers contacted by this reporter say they have tried hard to inquire and lobby MITRE for CVE allocation – to no avail.

It has sparked a series of complaints sent to this reporter and posted in public online mailing lists.

A researcher known as Radek said he'd failed to elicit a response when disclosing his OS X vulnerabilities.

"I have not heard back from MITRE," he says. "I am a little bit confused why vulnerability like this one which affects few hundreds or even more applications do not have a CVE assigned. It is ridiculous in my opinion."

Security researcher David Jorm says some prominent researchers able to gain immediate CVEs harbour such disdain for the alleged allocation failings they have submitted entirely fake and mocking bugs and still received CVE numbers.

"There are a lot of legitimate researches who can't get CVE," Jorm says. "It seems that you need to be a rock star to get a number."

Jorm, a respected security researcher in Australia, says the rules and procedures for allocation need to be clearly defined for the stability of the technology industry.

"A lot of feeds aggregate CVEs for vulnerability and threat intelligence platforms, as do a lot of vulnerability scanners; the downstream impact is enormous," he says.

The DWF system will largely map and complement CVE such that CVE-2016-0101 will become DWF-2016-0101. It has, like the CVE system, corporations serving as numbering authorities. Interested researchers can look over the DWF system at GitHub. ®